17 SEP 1981 
MEMORANDUM FOR: See Distribution 
FROM : Director of Information Services, DDA 
SUBJECT : Evaluation of the Agency's Information Security 
Program by the Information Security Oversight 
Office 


1. For your information, attached is the latest evaluation of the 
Agency's information security program prepared by the Information Security 
Oversight Office. As you will note, the findings generally are favorable 
and the recommendations for improvement relatively minor. 


2. Please thank the participants for their cooperation during this 
inspection and commend them for a job well done. 


Attachment: 
As stated 
SUBJECT: Evaluation of the Agency's Information Security Program 
by the Information Security Oversight Office 


Distribution: 
Director, Intelligence Community Staff 
Director, National Foreign Assessment Center 
Chairman, National Intelligence Council 
Deputy Director for Operations 
Deputy Director for Science and Technology 
General Counsel 
Inspector General 
Comptroller 
Director, Equal Employment Opportunity 
Director of Personnel 
Director of Policy and Planning 
Executive Secretary 
Director of Communications 
Director of Data Processing 
Director of Finance 
Director of Logistics 
Director of Medical Services 
Director of Security 
Director of Training and Education 
Chief, Classification Review Division 
Chief, Information and Privacy Division 
Chief, Regulations Control Division 
“sul 28 1994 
Mr. Harry E. Fitzwater 
Deputy Director for Administration 
Central Intelligence Agency 
Washington, DC 20505 


Dear Mr. Fitzwater: 


Over a period of several months analysts of the Information Security Oversight Office 
(ISOO) have conducted inspections of several Directorates and offices in the Central 
Intelligence Agency (CIA). The inspections were conducted in accordance with the 
provisions of Section 5-2, Executive Order 12065. We believe that the enclosed report, 
documenting the findings of the ISOO analysts, represents an accurate picture of those 
aspects of the programs evaluated and offers reasonable proposals for improvement. 


The review has shown that the CIA has an excellent information security program. I 
encourage the CIA to continue its support in implementing the provisions of the Order. 


I appreciate the cooperation and courtesy extended to ISOO analysts during the 
inspections. Be assured that ISOO will assist in any way possible to help your agency 
meet the goals of Executive Order 12065. 
Sincerely, 


STEVEN GARFINKEL 
Director 


ATTACHMENTS: 


1. Inspection Report 
2. Areas, Dates and Subjects of Inspection 
ATTACHMENT NO. 1 


INFORMATION SECURITY OVERSIGHT OFFICE 
INSPECTION OF THE CENTRAL INTELLIGENCE AGENCY 


I. GENERAL 


The Information Security Oversight Office (ISOO), established under Executive 
Order 12065, is responsible for monitoring Executive branch agencies and their 
actions to implement the provisions of the Order. Overall policy direction is 
provided to ISOO by the National Security Council. Sections 5-202 (a) and (h) of 
the Order authorize ISOO to conduct onsite reviews of the information security 
program of each agency that handles classified information. In compliance with 
the above provisions, Jane Payne and Harold Mason, ISOO analysts, conducted 
five reviews of various phases of the Central Intelligence Agency's (CIA) 
information security program. Areas, dates and subjects of the inspection are 
provided on Attachment No. 2. 


II. FINDINGS 


A. Status of Implementation. Throughout the CIA, there is consistency in 
marking, safeguarding, classification and general compliance with the 
provisions of the Order and ISOO Implementing Directive No. 1. This is 
attributable to (1) excellent training provided to all personnel; (2) the use 
of specialized classification guides and (3) other programs that prescribe 
the requirements for the protection of intelligence activities, sources, 
methods and other sensitive information. The inspections indicate that CIA 
personnel have an excellent understanding of the Order and comply with its 
provisions. 


1. Classification. 


a. Original Classification. Officials granted original classification 
authority are designated in writing and limited in number. 
Extensive use of classification guides limits the number of 
original classification decisions to a minimum. 


b. Identification and Markings. CIA's compliance with the portion 
marking provision of the Order is commendable. In many 
instances, documents reviewed contained subportion marking in 
addition to the portion marking. This is extremely beneficial to 
user agencies who incorporate or paraphrase information from 
CIA documents in subsequent reports. 


The manner in which CIA marks its documents, when utilizing a 
classification guide, is among the most complete and thorough of 
any agency the analysts have inspected. Instead of merely 
identifying the guide the classifier also identifies the section in 
which the subject matter is located; the person who derivatively 
classifies the document; the date for review or declassification; 
and the reason for extension, when extended. When more than 
one section of the guide is used, the classifier identifies the 
guides and sections after each paragraph and marks "multiple 
source" in the "derived from" section of the stamped marking. 
This procedure enabled the ISOO analysts to conduct an audit 
trail in a minimum period of time. 


c. Derivative Classification. The CIA is one of the few agencies 
which identifies personnel authorized to classify derivatively. 
This is beneficial for administrative purposes. 


d. Classification Guides. Classification guides have been published 
for each of the four directorates and have been in use since 
1978. Recently, a consolidated guide has been prepared for the 
use of all four directorates. This consolidated guide is presently 
being coordinated within CIA prior to publication. 


2. Systematic Review for Declassification. 


The present CIA commitment to the systematic review for 
declassification (SRD) program involves approximately [__] personnel 
with a budget in excess of (not including buildings, 
computer equipment, etc.). It is anticipated that the program will 
reach (including a 5 percent inflation factor) if continued 
until 1988. 


Administrative support for Freedom of Information Act (FOIA), SRD 
and mandatory review is provided by the same organizational unit. 
Declassified records are not segregated after review in order to 
maintain the integrity of the original files. However, CIA notifies the 
Carrollton Press whenever they declassify material. The CIA has set 
aside a reading room for release of information to the media, public 
interest groups and other members of the public to review 
declassified material upon request. 


3. Safeguarding. 


The CIA is in compliance with the safeguarding procedures 
established under the Order. 


B. Document Review. 


a. DDS & T/FBIS. The ISOO analysts reviewed reports in the Production 
and Analysis Branch which were compiled through overt collection 
procedures. One of these reports (TRENDS) is occasionally marked 
with a security classification such as "Confidential-declassify in six 
months." Since this report is based upon information already in the 
public domain (newspapers, radio broadcasts) the analysts challenged 
its justification. The CIA explained that they were currently 
conducting a six-month study into the propriety of using a security 
classification on this type of report. ISOO requests that it be 
apprised of the results of this study. 


b. DCI/OLC. Several minor marking deficiencies were noted, mainly 
concerning memoranda for the record; some lacked portion markings 
and others bore no markings other than the level of classification. 


c. DDO/DCD. The majority of documents reviewed were original 
classification decisions and contained no portion marking. The 
analysts were informed that the reports contained raw intelligence 
information making it impossible to determine the proper portion 
markings. 


III. CONCLUSIONS 


The Central Intelligence Agency appears dedicated in its desire to comply fully 
with the provisions of the Order. Officials interviewed were cognizant of the 
Order and implementing directive and sincere in their desire to implement a 
strong information security program. 


IV. RECOMMENDATIONS 
1. After the study has been completed on the TRENDS report in DDS&T/FBIS, 
and a determination made; provide ISOO with information on the decision. 
(Section II B a) 


2. Provide additional guidance to DCI/OLC on the proper procedures for 
marking. (Section II B b) 


3. Determine if documents generated in DDO/DCD can be portion marked. 
(Section II B c) 
ATTACHMENT No. 2 


AREAS, DATES AND SUBJECTS OF INSPECTION 


DATES 

FEB. 25, 1981 
March 18, 1981 
April 8, 1981 
May 14, 1981 
June 23, 1981 


AREA OF VISIT              SUBJECTS 

DDA/OIS                    The Use of Computers to Enhance Security Briefing 

DDS & T Registry           DDS & T's Computer Assisted Registry Briefing and Document Review 

NFAC/OER                   Briefing and Document Review 
DDS & T/FBIS               Briefing and Document Review 
DDA/OIS                    Systematic Review for Declassification Briefing 

DDA/ODP                    Project Safe Briefing 
NFAC/OCO                   Briefing and Document Review 

DCI/OLC                    Briefing and Document Review 
DDA/OIS                    Briefing on Classification Guides 

DDO/DCD                    Briefing and Document Review 

DDO/Geographical Area      Document Review 

DDA/OIS                    Review of Visits and Out Briefing 
ROUTING AND RECORD SHEET 


SUBJECT: (Optional) 
Evaluation of the Agency's Information Security Program by the 
Information Security Oversight Office 


FROM: Director of Information Services, 06 Ames Building 
DATE: 17 SEP 1981 


1. C/CRD, 322 Ames Building 
2. CLlOFS 
3. CfAQM 
4. C / INT 
5. C/S+T 
6. c Je kD 